Rules around consent, cross-border data transfers, and implementation cost among primary concerns
In the lead-up to the implementation of the bulk of North America’s “most stringent” and “far-reaching” privacy law, many clients from Quebec, from elsewhere in Canada, as well as from the US contacted Gowling WLG confused about the law’s immanent requirements, says Marc-Antoine Bigras, an associate at the firm.
Gowling then teamed up with Interactive Advertising Bureau Canada (IAB) and surveyed more than 100 organizations in various business sectors to measure their level of preparedness for the key provisions of Quebec’s Law 25 coming into effect Sept. 22.
Sixty-nine percent of respondents said greater clarity around the law’s practical requirements was necessary. Sixty-seven percent said they were concerned about the risk of penalties and sanctions for non-compliance. And 52 percent said their organizations lack sufficient resources to implement Law 25’s requirement. The report noted that lawyers and clients await further guidance from the Commission d'accès à l'information du Québec (CAI).
“All of us are still waiting with bated breath for guidelines on how to interpret this,” says Bigras. “We just realized there was still a lot of work to be done in understanding what everything meant.”
The top three concerns about Law 25’s requirements related to implementation cost (54 percent), cross-border data transfers (50 percent), and consent (48 percent). For additional measures or resources that would help enhance organizational confidence with the law, 52 percent said delaying the coming into force would be most helpful, and 20 percent said it would be additional guidance from CAI on the proper practical steps they should take to achieve compliance.
Penalties for non-compliance can reach $10 million or two percent of the business’s annual revenue. Only 15 percent of the survey respondents said they believed the penalties were fair, and 61 percent reported they were not sure they understood when monetary administrative penalties would apply as opposed to when penal proceedings would be brought.
“A lot of businesses are taking this really seriously and are kind of in a conundrum because they don't really understand what they have to do,” says Bigras. “But they know they got to do something or else they will be slapped with these fines.”
The survey indicated confusion around the rules for browser cookies, notifying users when a privacy policy or procedure changes, and communicating personal information outside of Quebec, he says.
Under Law 25, anytime an organization sends personal information outside of Quebec, it is required to conduct a privacy impact assessment. This is a significant burden for small and medium-sized businesses, and more guidance on the threshold amount of personal information that would trigger the requirement or the level of sensitivity that is necessary would be helpful for them, says Bigras.
Quebec will join Europe and become unique in North America in requiring privacy impact assessments whenever an organization implements a system involving personal information. He says the same types of details on the threshold that would trigger this requirement would also be useful.
In their additional comments, survey respondents said that the lack of guidance leading up to Law 25 was a “serious problem” and “unreasonable” and that the express consent requirements would likely cause “major consent fatigue.”
Bigras says he is advising businesses to develop a plan based on their reasonable interpretation of the act, aligned with standard business practices, and to adhere to the plan until further guidance is available.
"Despite Law 25 having come a long way since its introduction under Bill 64, unresolved questions of interpretation and implementation spell a challenging rollout of the legislation in September," said Antoine Guilmain, co-leader of Gowling WLG's national cyber security and data protection group.
“With the survey findings top of mind – and as we await further guidance from the Commission d'accès à l'information du Québec – our first priority is to help clients understand precisely how Law 25 applies to them and, from that understanding, develop practical, cost-effective strategies for compliance.”
President of IAB Canada Sonia Carreno said the findings show a “clear sense of urgency to implement appropriate and proven frameworks that will enable the industry to strike a balance between innovation in the important and growing Canadian digital advertising sector, with the protection of citizen rights to privacy.”